Skip to main content

Impact & Risk Analysis

  • Severity: Medium
  • CIS Benchmark: CIS 5.1.5
  • Impact: Implicit Privilege & Audit Gaps. Every namespace has a default service account. If you do not specify a service account for a Pod, it uses this default one. If this account is inadvertently granted permissions, every pod in that namespace inherits those permissions. This makes it impossible to audit which specific application performed an action and violates the principle of least privilege.

Common Misconfiguration

Leaving automountServiceAccountToken: true (the default) on the default service account. This means every pod gets a JWT token mounted at /var/run/secrets/kubernetes.io/serviceaccount, even if the application doesn’t need to talk to the Kubernetes API.

Vulnerable Example

# Vulnerable Service Account (Default)
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
  namespace: my-app
# VULNERABLE: Tokens are mounted automatically to all pods
automountServiceAccountToken: true

Secure Example

# Secure Service Account (Default)
# We disable token mounting to prevent unused tokens from existing in pods
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
  namespace: my-app
# SECURE: No token is mounted unless explicitly requested
automountServiceAccountToken: false


# Secure Workload
# Use a specific, dedicated service account for apps that NEED access
apiVersion: v1
kind: Pod
metadata:
  name: my-api-client
spec:
  # SECURE: Explicitly use a custom service account
  serviceAccountName: my-custom-sa
  containers:
  - name: app
    image: my-app:latest

Audit Procedure

For each namespace in the cluster, ensure that the automountServiceAccountToken setting is set to false for the default service account. 
# Check all default service accounts
kubectl get serviceaccounts --all-namespaces -o jsonpath='{range .items[?(@.metadata.name=="default")]}{.metadata.namespace}{": "}{.automountServiceAccountToken}{"\n"}{end}'
  • Result: The output should show false for every namespace.
  • Fail: If the output shows true or is empty (which implies true by default).
Additionally, verify that no Roles or ClusterRoles are bound to the default service account.

Remediation

  1. Create Explicit Accounts: Create specific service accounts for any workload that actually requires access to the Kubernetes API.
  2. Disable Default Token: Modify the default service account in every namespace to disable automatic token mounting.
kubectl patch serviceaccount default -p '{"automountServiceAccountToken": false}'